4. User ID controlled by request parameter, with unpredictable user IDs

Fun problem. We have to read carlos' API key from his my-account/ page, but to do that we need to know his
userId. This is an example of horizontal privilege escalation: one user reaching another user's data at
the same privilege level. The userIds are GUIDs and unpredictable, so guessing is out; we need to find
somewhere on the site where userIds are exposed.

Reading the blog posts on the front page, if a user makes a post, their userId is exposed in the
HTML. We scrape the blog posts until we find carlos' userId. We log in with the known credentials,
wiener:peter, and then visit the my-account?id=/ page with carlos' userId. carlos' API key is
exposed in the HTML, and we submit it to the submitSolution/ page.
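The root cause here is that my-account/ trusts the id request parameter instead of the session. As an added illustration (not part of the lab or this write-up), the handler below models the vulnerable behaviour next to two hardened variants; the GUIDs, API keys, Request class and USERS table are all constructed for the example.

```python
# Added example: the access-control flaw behind this lab, as request handlers.
# All ids, keys and the session model below are constructed for illustration.

# Constructed user table: unpredictable GUID-style ids, each with an API key.
USERS = {
    "2c5ab1e0-7f3d-4c6b-9a0e-1d2f3a4b5c6d": {"username": "wiener", "api_key": "WIENER-KEY"},
    "8e1f7a2b-3c4d-4e5f-8a9b-0c1d2e3f4a5b": {"username": "carlos", "api_key": "CARLOS-KEY"},
}


class Request:
    """Minimal stand-in for a web request: the user id bound to the session
    (None if not logged in) and the parsed query-string parameters."""

    def __init__(self, session_user_id, params):
        self.session_user_id = session_user_id
        self.params = params


def my_account_vulnerable(req):
    """Trusts ?id=. An unpredictable GUID is not an access control: once the id
    leaks elsewhere (here, in blog post HTML) any logged-in user can read any
    other user's account page. This is horizontal privilege escalation."""
    if req.session_user_id is None:
        return 401, None
    user = USERS.get(req.params.get("id"))
    if user is None:
        return 404, None
    return 200, user


def my_account_fixed(req):
    """Derives the account from the authenticated session and ignores ?id=
    entirely, so the secrecy of the id no longer matters."""
    if req.session_user_id is None:
        return 401, None
    return 200, USERS[req.session_user_id]


def my_account_checked(req):
    """If ?id= must remain in the URL (e.g. for bookmarks), honour it only when
    it matches the session owner; anything else is rejected with 403. The
    mismatch is also worth logging, since it is a direct signal of IDOR probing."""
    if req.session_user_id is None:
        return 401, None
    requested = req.params.get("id", req.session_user_id)
    if requested != req.session_user_id:
        print(f"access denied: session {req.session_user_id} requested id {requested}")
        return 403, None
    return 200, USERS[requested]
```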


Solution